[PM-33889] Innovation Sprint Bitwarden Receive by harr1424 · Pull Request #19949 · bitwarden/clients

harr1424 · 2026-04-02T17:50:54Z

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-33889

📔 Objective

Bitwarden Receive

* Add owner creation crypto flow

* [PM-34139] upload page * [PM-34139] fixing strict mode related errors * [PM-34139] fixing signal issue and type errors * [PM-34139] refactoring, adding error handling and messaging, file size check * [PM-34139] removing unnecessary dependencies, fixing typecheck error

* Add functions for building receive URL

* Api service for receive * Add data objects * Fix types * fix type * Change file to files

* Create Receive page

* Add file download decryption * fix lint * Update naming

* Create Receive page

* [PM-34212] initial integration of receive-related services * [PM-34212] From Guid to ReceiveId for receive id, plus dependency change * [PM-34212] fixing typecheck for publickey

* Add receive state and sync handling * Fix DI

* Add dropzone component * Simplify the component slightly * Add file list and file upload component * Add story with files

* Create View Receive component

* Add update and create * Go to one view model * Fix types

* Wire up receive state * Fix round trip

…nload flow (#19911) * update models and api to match server * Apply suggestions from code review Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Wire receive UI to real data, implement file upload/download service, and add tests * Add view for downloading files (#19913) --------- Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>

* Add owner email to share data * Add successful file upload

) * [PM-34465] using file upload component with multiple file select * [PM-34465] code review fixes and more fleshing out of file upload result content

* Tweak add-edit component, use bitSubmit, use card * Polish file upload flow * Tweak file upload to match figma * Change file list to use small button * Tweak file view to include tile and filesize in secondary * Add card to receive view * Fix headers

* implemented UI to indicate receive not-accessible for uploaders * fix typecheck error

codecov · 2026-04-02T17:59:23Z

Codecov Report

❌ Patch coverage is 25.32562% with 516 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.30%. Comparing base (78149dd) to head (7958d5a).
⚠️ Report is 93 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...pps/web/src/app/tools/receive/receive.component.ts	0.00%	72 Missing ⚠️
...app/tools/receive/receive-file-upload.component.ts	0.00%	65 Missing ⚠️
.../tools/receive/services/default-receive.service.ts	45.88%	46 Missing ⚠️
...s/components/src/file-upload/dropzone.component.ts	10.00%	45 Missing ⚠️
...rc/app/tools/receive/receive-add-edit.component.ts	0.00%	44 Missing ⚠️
...ls/receive/services/default-receive-api.service.ts	0.00%	26 Missing ⚠️
...eb/src/app/tools/receive/receive-view.component.ts	0.00%	18 Missing ⚠️
libs/common/src/platform/sync/core-sync.service.ts	15.78%	16 Missing ⚠️
...ve/models/response/receive-shared-data.response.ts	0.00%	16 Missing ⚠️
.../components/src/file-upload/file-upload.stories.ts	0.00%	16 Missing ⚠️
... and 29 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #19949      +/-   ##
==========================================
- Coverage   46.48%   46.30%   -0.18%     
==========================================
  Files        3828     3900      +72     
  Lines      114253   116051    +1798     
  Branches    17459    17631     +172     
==========================================
+ Hits        53110    53739     +629     
- Misses      58718    59867    +1149     
- Partials     2425     2445      +20

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

github-actions · 2026-04-02T18:00:41Z

Checkmarx One – Scan Summary & Details – 5cf5d10b-b26e-4adc-bfa4-d6fa2c8b7972

New Issues (33)

Checkmarx found the following issues in this Pull Request

#	Issue	Source File / Package	Checkmarx Insight
1	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 332	details Method Lambda at line 332 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
2	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 364	details Method Lambda at line 364 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
3	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 332	details Method Lambda at line 332 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
4	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 364	details Method Lambda at line 364 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
5	Client_DOM_XSS	/apps/web/src/connectors/redirect.ts: 6	details The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is... Attack Vector
6	Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 401	details Method Lambda at line 401 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
7	Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 401	details Method Lambda at line 401 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
8	SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
9	SSRF	/libs/common/src/services/api.service.ts: 1324	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
10	SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
11	SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
12	SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
13	SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
14	SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
15	SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
16	SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
17	CVE-2025-13466	Npm-body-parser-2.2.0	details Recommended version: 2.2.1 Description: body-parser in version 2.2.0 is vulnerable to Denial-of-Service (DoS) due to inefficient handling of URL-encoded bodies with very large numbers of ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18	Client_DOM_Open_Redirect	/apps/web/src/connectors/redirect.ts: 6	details The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web... Attack Vector
19	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277	details The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /... Attack Vector
20	HttpOnly_Cookie_Flag_Not_Set	/apps/desktop/src/platform/services/server-communication-config/default-server-communication-config.service.ts: 71	details The web application's getCookies method creates a cookie cookies, at line 71 of /apps/desktop/src/platform/services/server-communication-config/d... Attack Vector
21	HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/connectors/sso.ts: 37	details The web application's initiateBrowserSso method creates a cookie cookie, at line 37 of /apps/web/src/connectors/sso.ts, and returns it in the resp... Attack Vector
22	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 403	details The application takes sensitive, personal data cipher, found at line 403 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
23	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 402	details The application takes sensitive, personal data cipherService, found at line 402 of /apps/cli/src/commands/get.command.ts, and stores it in an unp... Attack Vector
24	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 76	details The application takes sensitive, personal data password, found at line 76 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
25	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 387	details The application takes sensitive, personal data cipher, found at line 387 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
26	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 81	details The application takes sensitive, personal data password, found at line 81 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
27	Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
28	SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 219	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in . The rejectUnauthorized parameter, at line 219, effectively disables verifi... Attack Vector
29	SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 301	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in Lambda. The rejectUnauthorized parameter, at line 301, effectively disables ... Attack Vector
30	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/svg/svg.component.ts: 29	details Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/svg/svg.component.ts in ... Attack Vector
31	Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 96	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar... Attack Vector
32	Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 107	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
33	Missing_CSP_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details A Content Security Policy is not explicitly defined within the web-application. Attack Vector

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~Cx54379275-7f08~~	Npm-es5-ext-0.10.64

* Add sync notification handling for receives

* Create View Receive component

sonarqubecloud · 2026-04-06T09:02:18Z

Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.8% Duplication on New Code

See analysis details on SonarQube Cloud

bw-ghapp · 2026-04-06T09:13:59Z

Changes in this PR impact the Autofill experience of the browser client

BIT has tested the core experience with these changes and the feature flag configuration used by vault.bitwarden.com.

✅ Fortunately, these BIT tests have passed! 🎉

bw-ghapp · 2026-04-06T09:14:11Z

Changes in this PR impact the Autofill experience of the browser client

BIT has tested the core experience with these changes and all feature flags disabled.

✅ Fortunately, these BIT tests have passed! 🎉

Thomas-Avery and others added 23 commits March 25, 2026 14:42

[PM-34066] Add owner creation crypto flow (#19758)

e8ff2ef

* Add owner creation crypto flow

Add uploader crypto flows (#19770)

564f89d

[PM-34068] Add decryptReceive (#19789)

d9c36af

[PM-34070] Add function for building receive url (#19791)

6f8025b

* Add functions for building receive URL

Api service for receive (#19805)

b3a194e

* Api service for receive * Add data objects * Fix types * fix type * Change file to files

Tools/pm 34046/new receive management page (#19747)

6dc4b38

* Create Receive page

[PM-34257] Add file download decryption (#19831)

28d8fc7

* Add file download decryption * fix lint * Update naming

Tools/pm 34051/create receive componenet (#19776)

ee9ba00

* Create Receive page

[PM-34212] initial integration of receive-related services (#19832)

af3493b

* [PM-34212] initial integration of receive-related services * [PM-34212] From Guid to ReceiveId for receive id, plus dependency change * [PM-34212] fixing typecheck for publickey

[PM-34421] Add receive state and sync handling (#19878)

3f51291

* Add receive state and sync handling * Fix DI

[PM-34381] Add dropzone component (#19860)

d05f601

* Add dropzone component * Simplify the component slightly * Add file list and file upload component * Add story with files

Tools/pm 34419/view receives page (#19872)

b6ae07d

* Create View Receive component

[PM-34477] Wire up create and edit receives (#19892)

ecaeb85

* Add update and create * Go to one view model * Fix types

[PM-34479] Wire up receive state (#19901)

81709b1

* Wire up receive state * Fix round trip

URL and files fixes (#19924)

b475d65

[PM-34543] Add owner email to share data (#19927)

8f25b9f

* Add owner email to share data * Add successful file upload

[PM-34465] using file upload component with multiple file select (#19929

3e7dbd5

) * [PM-34465] using file upload component with multiple file select * [PM-34465] code review fixes and more fleshing out of file upload result content

[PM-34561] improving UI for receive file upload results page (#19942)

8dd5878

implement search (#19940)

99ed264

[PM-34270] Add messages for Receive inaccessible states (#19944)

78cb176

* implemented UI to indicate receive not-accessible for uploaders * fix typecheck error

Hinton added the hold Hold this PR or item until later; DO NOT MERGE label Apr 2, 2026

Thomas-Avery and others added 3 commits April 2, 2026 14:23

Add sync notification handling for receives (#19950)

2d1265f

* Add sync notification handling for receives

Tools/pm 34057/create receive success page (#19936)

8ad7da1

* Create View Receive component

Misc cleanup to make the components use modern angular (#19967)

7958d5a

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[PM-33889] Innovation Sprint Bitwarden Receive#19949

[PM-33889] Innovation Sprint Bitwarden Receive#19949
harr1424 wants to merge 26 commits into
mainfrom
PM-33889-Innovation-sprint-Bitwarden-Receive

harr1424 commented Apr 2, 2026

Uh oh!

codecov Bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 2, 2026 •

edited

Loading

Uh oh!

sonarqubecloud Bot commented Apr 6, 2026

Uh oh!

bw-ghapp Bot commented Apr 6, 2026

Uh oh!

bw-ghapp Bot commented Apr 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

harr1424 commented Apr 2, 2026

🎟️ Tracking

📔 Objective

Uh oh!

codecov Bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions Bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sonarqubecloud Bot commented Apr 6, 2026

Quality Gate passed

Uh oh!

bw-ghapp Bot commented Apr 6, 2026

Changes in this PR impact the Autofill experience of the browser client

Uh oh!

bw-ghapp Bot commented Apr 6, 2026

Changes in this PR impact the Autofill experience of the browser client

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

codecov Bot commented Apr 2, 2026 •

edited

Loading

github-actions Bot commented Apr 2, 2026 •

edited

Loading